Wireguard Session Manager - Discussion (2nd) thread

Done. Sent
 
To whomever it concerns:

Just found out that NPT6 (network prefix translation ipv6) is available in our routers.

NPT6 is a stateless (no connection tracking involved) address translation that only translates the prefix but keeps the device-suffix. This is the preferred translation method whenever possible.
I would think everyone here should be concerned - the protocol seems not only more processor efficient (theoretically faster), but more privacy (and security) -inclined as well, as I understand it:
https://en.wikipedia.org/wiki/IPv6-to-IPv6_Network_Prefix_Translation <- there's an interesting reference link there, and Part 2 has a paragraph that states:
"This means that, should you find yourself having to manage the integration of two separate networks and routing domains following a merger, you’ll be able to route between them without any renumbering (or tricky NAT configuration). But, again, this only works if the ULA subnets have been properly generated using the recommended randomization function." which is exactly what we're doing, managing the integration of our LANs with the greater WAN of the internet itself, right?

And maybe this article (that updates the reference link articles I mentioned) will bring everything together in our heads:
 
Done. Sent
Brilliant, although perhaps Pastebin would have saved you having to tediously cut up the debug output into separate PMs!;)

However, I think I can see the problem..
Code:
+ sqlite3 /opt/etc/wireguard.d/WireGuard.db INSERT into session values('wg22','Start','1647599856');
+ sqlite3 /opt/etc/wireguard.d/WireGuard.db SELECT auto FROM servers WHERE peer='wg22';
+ [ Y == S ]

wg22 is not defined as a Site-to-site 'server' Peer

e.g. Your wg22 'server' Peer is set AUTO=Y rather than AUTO=S
Code:
E:Option ==> peer

        Peers (Auto start: Auto=P - Policy, Auto=S - Site-to-Site)
Server  Auto  Subnet                                  Port   Annotate
wg21    Y     10.50.1.1/24,fd36:7ef1:2add:aa88::1/64  11501  # RT-AX88U (IPv4/IPv6) Server 1
wg22    Y     10.50.2.1/24,2a02:c7f:f0c3:1010::1/64   11502  # RT-AX88U (IPv4/IPv6) Server 2

Can you issue
Code:
e  = Exit Script [?]

E:Option ==> peer wg22 auto=s

Now restart wg22 and hopefully the cron job should be created.
 
Thanks for the interesting link! The main reason for using ULA+NPT6 would be to use Wireguard server with a dynamic wan prefix. Unfortunately the links do not address this.

Although as it seems NPT6 is available in our routers and hoping for some good results from @archiel as to whether it is working or not. If it is working we should, by no doubt, use that instead of NAT6 (masquerade).

But the command is a bit tricky and when trying to write script to automatically do this I realized they would need something like wgm "Expand_Ipv6" and "Compress_Ipv6" and eventually to the conclusion that I should leave it to more experienced scripters. I don't know if it is in the stars that it comes into wgm, but it is where it belongs.

Currently our routers don't seem to route ula to wan at all, packages don't even reach forwarding, so unwillingly we reached the same conclusion as in your links. Right now the only option is to use some global address (could be from reserved space, like aa-space). Although a non-optimal solution it would basically solve the problems in the link. But for how long until there are conflicts?

Edit: aah, now I get why I sometimes get the "you have ipv6 but your device does not seem to want to use it" message... My lan is on ula... makes perfect sense now!
 
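The prefix-only translation discussed above, worked through as an added example (not code from wireguard_manager or from anyone in the thread): RFC 6296 NPTv6 between two /48 prefixes swaps the prefix and adjusts only the 16-bit subnet word, leaving the 64-bit device suffix untouched. The function names are hypothetical, the addresses are the RFC's own example, and output stays in expanded form.

```shell
#!/bin/sh
# Added example (not wireguard_manager code): RFC 6296 NPTv6 address mapping
# between two /48 prefixes, done with plain shell arithmetic.

# expand_ipv6 ADDR -> prints the 8 groups as 4-digit hex, space separated.
expand_ipv6() {
    case $1 in
        ''|*[!0-9A-Fa-f:]*|*:::*|*::*::*|:[!:]*|*[!:]:) return 1 ;;
    esac
    case $1 in
        *::*) left=${1%%::*}; right=${1#*::}; gap=1 ;;
        *)    left=$1; right=; gap=0 ;;
    esac
    lwords=$(printf '%s' "$left" | tr ':' ' ')
    rwords=$(printf '%s' "$right" | tr ':' ' ')
    set -- $lwords $rwords
    fill=$((8 - $#))                      # groups hidden behind "::"
    if [ "$gap" -eq 1 ]; then [ "$fill" -ge 1 ] || return 1
    else [ "$fill" -eq 0 ] || return 1; fi
    zeros=
    while [ "$fill" -gt 0 ]; do zeros="$zeros 0"; fill=$((fill - 1)); done
    out=
    for w in $lwords $zeros $rwords; do
        [ "${#w}" -le 4 ] || return 1     # a group is at most 4 hex digits
        out="$out $(printf '%04x' "$((0x$w))")"
    done
    echo "${out# }"
}

# oc_add A B -> 16-bit one's-complement sum (carry folded back in).
oc_add() { s=$(($1 + $2)); echo $(( (s & 0xffff) + (s >> 16) )); }

# prefix_sum W1 W2 W3 -> one's-complement sum of the three words of a /48.
prefix_sum() { oc_add "$(oc_add $((0x$1)) $((0x$2)))" $((0x$3)); }

# npt6_map ADDR FROM_PFX TO_PFX -> ADDR translated; prefixes are /48 and are
# written like fd01:203:405:: (assumption of this example).
npt6_map() {
    a=$(expand_ipv6 "$1") && f=$(expand_ipv6 "$2") && t=$(expand_ipv6 "$3") || return 1
    set -- $f; f1=$1 f2=$2 f3=$3
    set -- $t; t1=$1 t2=$2 t3=$3
    set -- $a
    [ "$1$2$3" = "$f1$f2$f3" ] || return 1    # ADDR must sit inside FROM_PFX
    fsum=$(prefix_sum "$f1" "$f2" "$f3")
    tsum=$(prefix_sum "$t1" "$t2" "$t3")
    # adjustment = sum(FROM) - sum(TO): keeps TCP/UDP checksums valid
    adj=$(oc_add "$fsum" $((0xffff - $tsum)))
    sub=$(oc_add $((0x$4)) "$adj")
    if [ "$sub" -eq 65535 ]; then sub=0; fi   # RFC 6296: 0xFFFF is written as 0
    printf '%s:%s:%s:%04x:%s:%s:%s:%s\n' "$t1" "$t2" "$t3" "$sub" "$5" "$6" "$7" "$8"
}

# RFC 6296 example: internal fd01:203:405::/48, external 2001:db8:1::/48.
npt6_map fd01:203:405:1::1234 fd01:203:405:: 2001:db8:1::
```

Because no connection state is kept, running the same function with the two prefixes swapped maps the translated address back to the original.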
LOL, indeed! I didn't realize until the third copy/paste
Ahh, I see. I think I changed it quite some time ago to wg22.

In any case, wg_manager doesn't allow the auto=2 for wg22:
Code:
E:Option ==> peer wg22 auto=s

        ***ERROR Invalid Peer Auto='s' wg22'

Can I rename it to wg21? Or maybe just re-create new on both ends. It's wg22 at both Home and Cabin.
 
Can you try setting wg22 manually?
Code:
e  = Exit Script [?]

E:Option ==> diag sqlX

<snip>

SQLite version 3.33.0 2020-08-14 13:23:32
Enter ".help" for usage hints.
then at the SQL subsystem sqlite> prompt....two commands
Code:
sqlite> UPDATE servers SET auto='S' WHERE peer='wg22';

sqlite> .quit
 
Ok, did the above, restarted server and now cru l shows the WireGuard_ChkDDNSwg22 entry.

Thanks!
 
Thanks for the interesting link! The main reason for using ULA+NPT6 would be to use Wireguard server with a dynamic wan prefix. Unfortunately the links do not address this.

Although as it seems NPT6 is available in our routers and hoping for some good results from @archiel as to whether it is working or not. If it is working we should, by no doubt, use that instead of NAT6 (masquerade).

But the command is a bit tricky and when trying to write script to automatically do this I realized they would need something like wgm "Expand_Ipv6" and "Compress_Ipv6" and eventually to the conclusion that I should leave it to more experienced scripters. I don't know if it is in the stars that it comes into wgm, but it is where it belongs.

Currently our routers don't seem to route ula to wan at all, packages don't even reach forwarding, so unwillingly we reached the same conclusion as in your links. Right now the only option is to use some global address (could be from reserved space, like aa-space). Although a non-optimal solution it would basically solve the problems in the link. But for how long until there are conflicts?

Edit: aah, now I get why I sometimes get the "you have ipv6 but your device does not seem to want to use it" message... My lan is on ula... makes perfect sense now!
you're most welcome! I like to help...or nudge a train of thought here or there ;)

Fingers crossed @archiel has success/insight/lightning bolt of brilliance. Forward on!
 
FYI, just changed my lan prefix to: aaff:a37f:fa75:1::1/64 instead of fdff:a37f:fa75:1::1/64 and I went from good/mediocre score to great score on test sites. Even the google ipv6 test seems satisfied. Jackpot!
 
@Martineau
After last update, log file is filling up with:
Code:
Mar 18 22:30:00 RT-AC86U-D7D8 (wg_ChkEndpointDDNS.sh): 1834 DDNS Endpoint wireguard.net:48574 re-Resolved for 'wg11' Public Key 'blablabla'
Mar 18 22:30:00 RT-AC86U-D7D8 (wg_ChkEndpointDDNS.sh): 1837 DDNS Endpoint us.wireguard.net:42911 re-Resolved for 'wg12' Public Key 'blablabla'
Mar 18 22:35:00 RT-AC86U-D7D8 (wg_ChkEndpointDDNS.sh): 5621 DDNS Endpoint wireguard.net:48574 re-Resolved for 'wg11' Public Key 'blablabla
Mar 18 22:35:00 RT-AC86U-D7D8 (wg_ChkEndpointDDNS.sh): 5623 DDNS Endpoint us.wireguard.net:42911 re-Resolved for 'wg12' Public Key 'blablabla'
Mar 18 22:40:00 RT-AC86U-D7D8 (wg_ChkEndpointDDNS.sh): 8206 DDNS Endpoint wireguard.net:48574 re-Resolved for 'wg11' Public Key 'blablabla
Mar 18 22:40:00 RT-AC86U-D7D8 (wg_ChkEndpointDDNS.sh): 8207 DDNS Endpoint us.wireguard.net:42911 re-Resolved for 'wg12' Public Key 'blablabla'
Mar 18 22:45:00 RT-AC86U-D7D8 (wg_ChkEndpointDDNS.sh): 12037 DDNS Endpoint us.wireguard.net:42911 re-Resolved for 'wg12' Public Key 'blablabla'
Mar 18 22:45:00 RT-AC86U-D7D8 (wg_ChkEndpointDDNS.sh): 12034 DDNS Endpoint wireguard.net:48574 re-Resolved for 'wg11' Public Key 'blablabla
Mar 18 22:50:01 RT-AC86U-D7D8 (wg_ChkEndpointDDNS.sh): 14945 DDNS Endpoint us.wireguard.net:42911 re-Resolved for 'wg12' Public Key 'blablabla'
Mar 18 22:50:01 RT-AC86U-D7D8 (wg_ChkEndpointDDNS.sh): 14944 DDNS Endpoint wireguard.net:48574 re-Resolved for 'wg11' Public Key 'blablabla
Mar 18 22:55:00 RT-AC86U-D7D8 (wg_ChkEndpointDDNS.sh): 18539 DDNS Endpoint wireguard.net:48574 re-Resolved for 'wg11' Public Key 'blablabla
Mar 18 22:55:00 RT-AC86U-D7D8 (wg_ChkEndpointDDNS.sh): 18540 DDNS Endpoint us.wireguard.net:42911 re-Resolved for 'wg12' Public Key 'blablabla'

Although I use scribe to send these to discard box, is this intentional? My vpn has been almost weirdly stable for months, it's hardly changing ip every 5 min.
 
Jason's recommended script appears to blindly resolve the DDNS when the connection is dormant (which makes sense?) presumably in an attempt to ensure that the next packet exchange will resolve correctly.

I guess there is no need to write the message - so I'll suppress it in the next release.
 
Uploaded wireguard_manager Beta v4.16b6

Minor bug fix, but should (finally) improve the statistics metrics displayed on screen for 'client' Peers.

P.S. @ZebMcKayhan In fixing the comment/tag update issue, this may also fix the inability to delete your 'server' Peers, together with suppressing (by default) the re-resolv DDNS Syslog message although they can now be optionally issued.


To upgrade use
Code:
e  = Exit Script [?]

E:Option ==> uf dev
Thanks,

Some error message when creating the server:
Code:
E:Option ==> peer new ip=192.168.100.1/24 ipv6=aaff:a37f:fa75:100:100::1/120

        Press y to Create (IPv4/IPv6) 'server' Peer (wg21) 192.168.100.1/24,a
aff:a37f:fa75:100:100::1/120:11501 or press [Enter] to SKIP.
y
        Creating WireGuard Private/Public key-pair for (IPv4/IPv6) 'server' P
eer wg21 on RT-AC86U (v386.5_0)
        Press y to Start (IPv4/IPv6) 'server' Peer (wg21) or press [Enter] to
 SKIP.
y

        Requesting WireGuard VPN Peer start (wg21)

        WireGuard-serverwg21: Initialising WireGuard VPN (IPv6) [aaff:a37f:fa
75:6::1] 'Server' Peer (wg21) on 192.168.100.1,[aaff:a37f:fa75:100:100::1]:11
501 (# RT-AC86U (IPv4/IPv6) Server 1)
Error: inet6 prefix is expected rather than "192.168.100.1/24,aaff:a37f:fa75:
100:100::1/120".
        WireGuard-serverwg21: Initialisation complete.

For some reason, the server is created on aaff:a37f:fa75:6::1 which I don't know how it obtained. This is wl1.2 subnet and does not exist in nvram variables or as default route or on eth0.

The error message suggests some parsing/scrubbing issue.

Edit: still can't delete device peer peer test del properly. Device test is removed from the list when issuing peer and the conf files are removed, still peer wg21 del asks to re-assign the device test.

Edit2:
Code:
E:Option ==> start wg21 debug

        Requesting WireGuard VPN Peer start (wg21)

        WireGuard-serverwg21: Initialising WireGuard VPN (IPv6) [aaff:a37f:fa
75:6::1] 'Server' Peer (wg21) on 192.168.100.1,[aaff:a37f:fa75:100:100::1]:11
501 (# RT-AC86U (IPv4/IPv6) Server 1)
[#] ip link add dev wg21 type wireguard
[#] ip -6 link add dev wg21 type wireguard
[#] wg set wg21 fwmark 11501
[#] wg setconf wg21 /tmp/wg21.11765 #(/opt/etc/wireguard.d/wg21.conf)
[#] ip link set up dev wg21
[#] ip -6 link set up dev wg21
[#] ip -6 address add dev wg21 192.168.100.1/24,aaff:a37f:fa75:100:100::1/120
Error: inet6 prefix is expected rather than "192.168.100.1/24,aaff:a37f:fa75:
100:100::1/120".
[#] ifconfig wg21 mtu 1420
[#] ifconfig wg21 txqueuelen 1000
[#] ip route add default dev wg21 table 210

Code:
admin@RT-AC86U-D7D8:/tmp/home/root# ifconfig wg21
wg21      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00
-00-00
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
 
I've deleted the commit

Please backout the commit
Code:
e  = Exit Script [?]

E:Option ==> uf dev

Please can you test the following for the parsing issue....

e.g. issue on the command line
Code:
SUBNET="192.168.100.1/24,aaff:a37f:fa75:100:100::1/120"
Code:
echo $SUBNET
Code:
echo ${SUBNET//,/ }
 
Code:
admin@RT-AC86U-D7D8:/tmp/home/root# SUBNET="192.168.100.1/24,aaff:a37f:fa75:100:100::1/120"
admin@RT-AC86U-D7D8:/tmp/home/root# echo $SUBNET
192.168.100.1/24,aaff:a37f:fa75:100:100::1/120
admin@RT-AC86U-D7D8:/tmp/home/root# echo ${SUBNET//,/ }
192.168.100.1/24 aaff:a37f:fa75:100:100::1/120
 
Thanks,

I've experienced weird issues like this before...it should always work in a script but in some cases doesn't, so I've reverted to old-skool slower code
Code:
echo ${SUBNET//,/ }
changed to
Code:
echo $(echo "$SUBNET" | tr ',' ' ')

Anyway uploaded wireguard_manager Beta v4.16b7

Use
Code:
e  = Exit Script [?]

E:Option ==> uf dev
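
One way to handle the dual-stack subnet string that reached `ip -6 address add` unsplit in the debug output above, as an added example rather than wireguard_manager's own code: split the list with `tr` (the portable form the thread settled on), validate each entry, and emit the command for its address family. `classify_cidr` and `addr_cmds` are hypothetical names, and the function only prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not wireguard_manager code): split a dual-stack subnet list
# and hand each entry to the `ip` command of the matching address family.

# classify_cidr CIDR -> prints 4 or 6; returns 1 if the entry is malformed.
classify_cidr() {
    addr=${1%/*}
    len=${1##*/}
    [ "$addr" != "$1" ] || return 1                    # no "/len" part
    case $len in ''|*[!0-9]*|????*) return 1 ;; esac   # digits only, max 3
    case $addr in
        *:*)                                           # IPv6 candidate
            case $addr in *[!0-9A-Fa-f:]*) return 1 ;; esac
            [ "$len" -le 128 ] || return 1
            echo 6 ;;
        *.*)                                           # IPv4 candidate
            case $addr in *[!0-9.]*) return 1 ;; esac
            [ "$len" -le 32 ] || return 1
            echo 4 ;;
        *) return 1 ;;
    esac
}

# addr_cmds IFACE LIST -> prints one `ip` command per entry (dry run).
addr_cmds() {
    iface=$1
    case $iface in ''|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 1 ;; esac
    # Whitelist the characters before word splitting, so shell metacharacters
    # or globs in LIST never reach the loop below.
    case $2 in ''|*[!0-9A-Fa-f:./,]*) echo "rejected: '$2'" >&2; return 1 ;; esac
    for cidr in $(printf '%s' "$2" | tr ',' ' '); do
        fam=$(classify_cidr "$cidr") || { echo "bad entry: '$cidr'" >&2; return 1; }
        case $fam in
            4) echo "ip address add dev $iface $cidr" ;;
            6) echo "ip -6 address add dev $iface $cidr" ;;
        esac
    done
}

# Constructed input: the subnet string from the failing start in the thread.
addr_cmds wg21 "192.168.100.1/24,aaff:a37f:fa75:100:100::1/120"
```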
 
Updated Ipv6 server part for dynamic wan ips, it is now confirmed working:
https://github.com/ZebMcKayhan/WireguardManager/edit/main/README.md#setup-wg-server

Put in the NPT6 part as well but mostly for reference and still experimental.
This is a big deal, being able to follow ISP-initiated WAN IP changes - it (if I understand things correctly) does away with needing to set up DDNS tunneling, and maybe even FQDNs with HTTPS certs. Possibly (and this is a stretch) get out from behind IPv4 CGNAT
FYI, just changed my lan prefix to: aaff:a37f:fa75:1::1/64 instead of fdff:a37f:fa75:1::1/64 and I went from good/mediocre score to great score on test sites. Even the google ipv6 test seems satisfied. Jackpot!
This would make your router (or should we just call it our WG server?) much more private I think, and tunnel more secure. (basically you're your own VPN)
I'm just not sure how you've accomplished making this change, where in the router GUI to find it; by selecting/configuring Native IPv6, I don't get the option: it auto-populates...I may be missing something. Is it a command line thing, why you've added scripts? (the thought occurred when reading the github that anyone with a /48 should know how to amend the scripts themselves if they've come this far) (it's not the best time of day for me to use my brain on this stuff)

(NOTE: to anyone trying to follow this pages-long thread, STOP. Go to the README on Zeb's github. it's all very clear there, laid out in easy progression)
 
Thanks, no problems with creating server peer, or delete devices anymore:
Code:
E:Option ==> peer new ip=192.168.100.1/24 ipv6=aaff:a37f:fa75:100:100::1/120

        Press y to Create (IPv4/IPv6) 'server' Peer (wg21) 192.168.100.1/24,a
aff:a37f:fa75:100:100::1/120:11501 or press [Enter] to SKIP.
y
        Creating WireGuard Private/Public key-pair for (IPv4/IPv6) 'server' P
eer wg21 on RT-AC86U (v386.5_0)
        Press y to Start (IPv4/IPv6) 'server' Peer (wg21) or press [Enter] to
 SKIP.
y

        Requesting WireGuard VPN Peer start (wg21)

        WireGuard-serverwg21: Initialising WireGuard VPN (IPv6) [aaff:a37f:fa
75:6::1] 'Server' Peer (wg21) on 192.168.100.1,[aaff:a37f:fa75:100:100::1]:11
501 (# RT-AC86U (IPv4/IPv6) Server 1)
        WireGuard-serverwg21: Initialisation complete.


<snip>

E:Option ==> peer test del

        Deleting 'device' Peer (test)

        Press y to CONFIRM or press [Enter] to SKIP.
y
        'device' Peer test removed from 'server' Peer (wg21)
        'device' Peer test DELETED

        WireGuard 'server' Peer needs to be restarted to remove 'client' Peer

        Press y to restart 'server' Peer (wg21) or press [Enter] to SKIP.
y

        Requesting WireGuard VPN Peer restart (wg21)

        Restarting Wireguard 'server' Peer (wg21)

<snip>

E:Option ==> peer wg21 del

        Deleting 'server' Peer (wg21)

        Press y to CONFIRM or press [Enter] to SKIP.
y

        Requesting WireGuard VPN Peer stop (wg21)

        WireGuard-serverwg21: WireGuard VPN (IPv6) [aaff:a37f:fa75:6::1] 'Ser
ver' Peer (wg21) on 192.168.100.1,[aaff:a37f:fa75:100:100::1]:11501 (# RT-AC8
6U (IPv4/IPv6) Server 1) Terminated

        'server' Peer wg21 DELETED

tried out the new experimental ula generator, and it worked after installing the required package:
Code:
E:Option ==> peer new ipv6 ula

        Press y to Create (IPv4/IPv6) 'server' Peer (wg21) 10.50.1.1/24,fd00:
50:1::1/64:11501 or press [Enter] to SKIP.


E:Option ==> ipv6 ula

        *** ERROR IPv6 ULA generate function requires Entware 'date' module (
coreutils-date)


admin@RT-AC86U-D7D8:/tmp/home/root# opkg install coreutils-date
Installing coreutils-date (8.32-6) to root...
Downloading https://bin.entware.net/aarch64-k3.10/coreutils-date_8.32-6_aarch
64-3.10.ipk
Configuring coreutils-date.


E:Option ==> ipv6 ula

        On Tue 22 Mar 2022 07:50:54 PM CET, Your IPv6 ULA is 'aaf6:2013:d6bd:
:1/64' (Use 'aaf6:2013:d6bd::1/64' for Dual-stack IPv4+IPv6)

E:Option ==> peer new ipv6 ula

        Press y to Create (IPv4/IPv6) 'server' Peer (wg21) 10.50.1.1/24,fd06:
cb22:5380::1/64:11501 or press [Enter] to SKIP.

Weird that ipv6 ula gives aa prefix in both cases, thought it would give fd and suggest to use aa. But when creating the peer it gives fd (which makes sense if the generated ula proposed fd).

Great work!
 
